
Example 16 with NiFiAuthenticationToken

use of org.apache.nifi.web.security.token.NiFiAuthenticationToken in project nifi by apache.

the class AccessResource method getAccessStatus.

/**
 * Reports the access status of the calling client.
 *
 * <p>The request must arrive over HTTPS. The caller is identified from its X.509 client
 * certificate when one is presented, otherwise from the token carried in the Authorization
 * header. When neither is supplied the status is reported as UNKNOWN.
 *
 * <p>A status of ACTIVE means only that the supplied credentials authenticated successfully;
 * no authorization check is made in this method.
 *
 * @param httpServletRequest the servlet request
 * @return a response wrapping an {@code AccessStatusEntity}
 * @throws IllegalStateException if the request did not arrive over a secure channel
 * @throws InvalidAuthenticationException if the token or certificate request is rejected
 * @throws AccessDeniedException if an untrusted proxy is reported during authentication
 * @throws AdministrationException if the authentication service itself fails
 */
@GET
@Consumes(MediaType.WILDCARD)
@Produces(MediaType.APPLICATION_JSON)
@Path("")
@ApiOperation(value = "Gets the status the client's access", notes = NON_GUARANTEED_ENDPOINT, response = AccessStatusEntity.class)
@ApiResponses(value = { @ApiResponse(code = 400, message = "NiFi was unable to complete the request because it was invalid. The request should not be retried without modification."), @ApiResponse(code = 401, message = "Unable to determine access status because the client could not be authenticated."), @ApiResponse(code = 403, message = "Unable to determine access status because the client is not authorized to make this request."), @ApiResponse(code = 409, message = "Unable to determine access status because NiFi is not in the appropriate state."), @ApiResponse(code = 500, message = "Unable to determine access status because an unexpected error occurred.") })
public Response getAccessStatus(@Context HttpServletRequest httpServletRequest) {
    // Identity information is only evaluated for requests that arrived over TLS.
    if (!httpServletRequest.isSecure()) {
        throw new IllegalStateException("User authentication/authorization is only supported when running over HTTPS.");
    }

    final AccessStatusDTO statusDto = new AccessStatusDTO();
    try {
        final X509Certificate[] clientCertificates = certificateExtractor.extractClientCertificate(httpServletRequest);
        if (clientCertificates != null) {
            // A client certificate takes precedence over any Authorization header.
            try {
                // The proxied-entities chain is a client-supplied header; whether it is honoured is
                // left to the X.509 provider (presumably the source of UntrustedProxyException).
                final String proxiedEntitiesChain = httpServletRequest.getHeader(ProxiedEntitiesUtils.PROXY_ENTITIES_CHAIN);
                final X509AuthenticationRequestToken certificateRequest = new X509AuthenticationRequestToken(proxiedEntitiesChain, principalExtractor, clientCertificates, httpServletRequest.getRemoteAddr());
                final NiFiAuthenticationToken authenticated = (NiFiAuthenticationToken) x509AuthenticationProvider.authenticate(certificateRequest);
                final NiFiUserDetails userDetails = (NiFiUserDetails) authenticated.getDetails();
                final NiFiUser authenticatedUser = userDetails.getNiFiUser();

                // Authentication succeeded: report the identity. No /flow authorization is attempted here.
                statusDto.setIdentity(authenticatedUser.getIdentity());
                statusDto.setStatus(AccessStatusDTO.Status.ACTIVE.name());
                statusDto.setMessage("You are already logged in.");
            } catch (final IllegalArgumentException invalidRequest) {
                throw new InvalidAuthenticationException(invalidRequest.getMessage(), invalidRequest);
            }
        } else {
            // No certificate: fall back to a token in the Authorization header.
            final String authorizationHeader = httpServletRequest.getHeader(JwtAuthenticationFilter.AUTHORIZATION);
            if (authorizationHeader != null) {
                try {
                    // Everything after the last space is treated as the token.
                    // NOTE(review): the authentication scheme prefix is not checked here, so rejecting
                    // a malformed header rests entirely on the JWT provider's verification.
                    final String bearerToken = StringUtils.substringAfterLast(authorizationHeader, " ");
                    final JwtAuthenticationRequestToken tokenRequest = new JwtAuthenticationRequestToken(bearerToken, httpServletRequest.getRemoteAddr());
                    final NiFiAuthenticationToken authenticated = (NiFiAuthenticationToken) jwtAuthenticationProvider.authenticate(tokenRequest);
                    final NiFiUserDetails userDetails = (NiFiUserDetails) authenticated.getDetails();
                    final NiFiUser authenticatedUser = userDetails.getNiFiUser();

                    // Authentication succeeded: report the identity. No /flow authorization is attempted here.
                    statusDto.setIdentity(authenticatedUser.getIdentity());
                    statusDto.setStatus(AccessStatusDTO.Status.ACTIVE.name());
                    statusDto.setMessage("You are already logged in.");
                } catch (JwtException tokenFailure) {
                    // NOTE(review): the library's message is passed through unchanged; confirm it does
                    // not expose token-validation detail to the caller.
                    throw new InvalidAuthenticationException(tokenFailure.getMessage(), tokenFailure);
                }
            } else {
                // Neither a certificate nor a token was supplied, so the caller is anonymous.
                statusDto.setStatus(AccessStatusDTO.Status.UNKNOWN.name());
                statusDto.setMessage("No credentials supplied, unknown user.");
            }
        }
    } catch (final UntrustedProxyException untrustedProxy) {
        throw new AccessDeniedException(untrustedProxy.getMessage(), untrustedProxy);
    } catch (final AuthenticationServiceException serviceFailure) {
        throw new AdministrationException(serviceFailure.getMessage(), serviceFailure);
    }

    // Wrap the status in its entity and return it with a 200 response.
    final AccessStatusEntity responseEntity = new AccessStatusEntity();
    responseEntity.setAccessStatus(statusDto);
    return generateOkResponse(responseEntity).build();
}
Also used : AccessDeniedException(org.apache.nifi.authorization.AccessDeniedException) AccessStatusEntity(org.apache.nifi.web.api.entity.AccessStatusEntity) NiFiUser(org.apache.nifi.authorization.user.NiFiUser) JwtAuthenticationRequestToken(org.apache.nifi.web.security.jwt.JwtAuthenticationRequestToken) AccessStatusDTO(org.apache.nifi.web.api.dto.AccessStatusDTO) AdministrationException(org.apache.nifi.admin.service.AdministrationException) X509AuthenticationRequestToken(org.apache.nifi.web.security.x509.X509AuthenticationRequestToken) X509Certificate(java.security.cert.X509Certificate) InvalidAuthenticationException(org.apache.nifi.web.security.InvalidAuthenticationException) AuthenticationServiceException(org.springframework.security.authentication.AuthenticationServiceException) NiFiAuthenticationToken(org.apache.nifi.web.security.token.NiFiAuthenticationToken) UntrustedProxyException(org.apache.nifi.web.security.UntrustedProxyException) JwtException(io.jsonwebtoken.JwtException) NiFiUserDetails(org.apache.nifi.authorization.user.NiFiUserDetails) Path(javax.ws.rs.Path) Consumes(javax.ws.rs.Consumes) Produces(javax.ws.rs.Produces) GET(javax.ws.rs.GET) ApiOperation(io.swagger.annotations.ApiOperation) ApiResponses(io.swagger.annotations.ApiResponses)

Example 17 with NiFiAuthenticationToken

use of org.apache.nifi.web.security.token.NiFiAuthenticationToken in project nifi by apache.

the class ProcessGroupResource method submitUpdateVariableRegistryRequest.

/**
 * Submits a request to update the variable registry for the specified process group.
 *
 * <p>The request must carry variable registry details and a process group revision. The method
 * determines the components affected by the change and builds an authorization callback that
 * requires WRITE on the process group plus READ and WRITE on every active affected processor
 * and controller service. When {@code isReplicateRequest()} is true the callback is run
 * immediately and the update is handed to a background thread pool; otherwise the update runs
 * through {@code withWriteLock}, which is given the same callback.
 *
 * @param httpServletRequest request
 * @param groupId The id of the process group.
 * @param requestVariableRegistryEntity the Variable Registry Entity
 * @return on the replicated path, a 202 Accepted response wrapping a
 *         {@code VariableRegistryUpdateRequestEntity}; otherwise the result of {@code withWriteLock}
 * @throws IllegalArgumentException if the registry details or the process group revision are missing
 * @throws ResourceNotFoundException if no variable registry could be computed for the request
 */
@POST
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.APPLICATION_JSON)
@Path("{id}/variable-registry/update-requests")
@ApiOperation(value = "Submits a request to update a process group's variable registry", response = VariableRegistryUpdateRequestEntity.class, notes = NON_GUARANTEED_ENDPOINT, authorizations = { @Authorization(value = "Write - /process-groups/{uuid}") })
@ApiResponses(value = { @ApiResponse(code = 400, message = "NiFi was unable to complete the request because it was invalid. The request should not be retried without modification."), @ApiResponse(code = 401, message = "Client could not be authenticated."), @ApiResponse(code = 403, message = "Client is not authorized to make this request."), @ApiResponse(code = 404, message = "The specified resource could not be found."), @ApiResponse(code = 409, message = "The request was valid but NiFi was not in the appropriate state to process it. Retrying the same request later may be successful.") })
public Response submitUpdateVariableRegistryRequest(@Context final HttpServletRequest httpServletRequest, @ApiParam(value = "The process group id.", required = true) @PathParam("id") final String groupId, @ApiParam(value = "The variable registry configuration details.", required = true) final VariableRegistryEntity requestVariableRegistryEntity) {
    // Reject requests that lack the registry payload or the revision.
    if (requestVariableRegistryEntity == null || requestVariableRegistryEntity.getVariableRegistry() == null) {
        throw new IllegalArgumentException("Variable Registry details must be specified.");
    }
    if (requestVariableRegistryEntity.getProcessGroupRevision() == null) {
        throw new IllegalArgumentException("Process Group Revision must be specified.");
    }
    // In order to update variables in a variable registry, we have to perform the following steps:
    // 1. Determine Affected Components (this includes any Processors and Controller Services and any components that reference an affected Controller Service).
    // 1a. Determine ID's of components
    // 1b. Determine Revision's of associated components
    // 2. Stop All Active Affected Processors
    // 3. Disable All Active Affected Controller Services
    // 4. Update the Variables
    // 5. Re-Enable all previously Active Affected Controller Services (services only, not dependent components)
    // 6. Re-Enable all previously Active Processors that Depended on the Controller Services
    // Determine the affected components (and their associated revisions)
    // NOTE(review): these lookups, and the not-found error below, run before authorizeAccess is
    // invoked; confirm that is intended for callers who later fail authorization.
    // NOTE(review): the lookups are driven by the registry in the request body, while authorization
    // below uses the groupId path parameter; nothing visible in this method checks that both refer
    // to the same process group. Confirm that check exists elsewhere.
    final VariableRegistryEntity computedEntity = serviceFacade.populateAffectedComponents(requestVariableRegistryEntity.getVariableRegistry());
    final VariableRegistryDTO computedRegistryDto = computedEntity.getVariableRegistry();
    if (computedRegistryDto == null) {
        throw new ResourceNotFoundException(String.format("Unable to locate group with id '%s'.", groupId));
    }
    final Set<AffectedComponentEntity> allAffectedComponents = serviceFacade.getComponentsAffectedByVariableRegistryUpdate(requestVariableRegistryEntity.getVariableRegistry());
    final Set<AffectedComponentDTO> activeAffectedComponents = serviceFacade.getActiveComponentsAffectedByVariableRegistryUpdate(requestVariableRegistryEntity.getVariableRegistry());
    // Group the active components by reference type; either list below is null when no component of that type is active.
    final Map<String, List<AffectedComponentDTO>> activeAffectedComponentsByType = activeAffectedComponents.stream().collect(Collectors.groupingBy(comp -> comp.getReferenceType()));
    final List<AffectedComponentDTO> activeAffectedProcessors = activeAffectedComponentsByType.get(AffectedComponentDTO.COMPONENT_TYPE_PROCESSOR);
    final List<AffectedComponentDTO> activeAffectedServices = activeAffectedComponentsByType.get(AffectedComponentDTO.COMPONENT_TYPE_CONTROLLER_SERVICE);
    // Capture the requesting user now; the same instance is used for authorization and by the background task.
    final NiFiUser user = NiFiUserUtils.getNiFiUser();
    // define access authorize for execution below
    final AuthorizeAccess authorizeAccess = lookup -> {
        // The caller needs WRITE on the process group itself.
        final Authorizable groupAuthorizable = lookup.getProcessGroup(groupId).getAuthorizable();
        groupAuthorizable.authorize(authorizer, RequestAction.WRITE, user);
        // Every active affected processor and controller service additionally requires READ and WRITE
        // (because this action requires stopping the component).
        if (activeAffectedProcessors != null) {
            for (final AffectedComponentDTO activeAffectedComponent : activeAffectedProcessors) {
                final Authorizable authorizable = lookup.getProcessor(activeAffectedComponent.getId()).getAuthorizable();
                authorizable.authorize(authorizer, RequestAction.READ, user);
                authorizable.authorize(authorizer, RequestAction.WRITE, user);
            }
        }
        if (activeAffectedServices != null) {
            for (final AffectedComponentDTO activeAffectedComponent : activeAffectedServices) {
                final Authorizable authorizable = lookup.getControllerService(activeAffectedComponent.getId()).getAuthorizable();
                authorizable.authorize(authorizer, RequestAction.READ, user);
                authorizable.authorize(authorizer, RequestAction.WRITE, user);
            }
        }
    };
    if (isReplicateRequest()) {
        // authorize access (on the request thread, before any work is queued)
        serviceFacade.authorizeAccess(authorizeAccess);
        // update the variable registry
        final VariableRegistryUpdateRequest updateRequest = createVariableRegistryUpdateRequest(groupId, allAffectedComponents, user);
        updateRequest.getIdentifyRelevantComponentsStep().setComplete(true);
        final URI originalUri = getAbsolutePath();
        // Submit the task to be run in the background
        final Runnable taskWrapper = () -> {
            try {
                // set the user authentication token so the background thread acts as the requesting user
                final Authentication authentication = new NiFiAuthenticationToken(new NiFiUserDetails(user));
                SecurityContextHolder.getContext().setAuthentication(authentication);
                updateVariableRegistryReplicated(groupId, originalUri, activeAffectedProcessors, activeAffectedServices, updateRequest, requestVariableRegistryEntity);
                // ensure the request is marked complete
                updateRequest.setComplete(true);
            } catch (final Exception e) {
                logger.error("Failed to update variable registry", e);
                updateRequest.setComplete(true);
                // NOTE(review): the exception's string form becomes the failure reason; confirm this
                // value is safe to return to API clients.
                updateRequest.setFailureReason("An unexpected error has occurred: " + e);
            } finally {
                // clear the authentication token so this user's identity does not remain on the
                // worker thread (presumably reused by the pool) after the task ends
                SecurityContextHolder.getContext().setAuthentication(null);
            }
        };
        variableRegistryThreadPool.submit(taskWrapper);
        // Respond immediately with the update request and the URI recorded for it.
        final VariableRegistryUpdateRequestEntity responseEntity = new VariableRegistryUpdateRequestEntity();
        responseEntity.setRequest(dtoFactory.createVariableRegistryUpdateRequestDto(updateRequest));
        responseEntity.setProcessGroupRevision(updateRequest.getProcessGroupRevision());
        responseEntity.getRequest().setUri(generateResourceUri("process-groups", groupId, "variable-registry", "update-requests", updateRequest.getRequestId()));
        final URI location = URI.create(responseEntity.getRequest().getUri());
        return Response.status(Status.ACCEPTED).location(location).entity(responseEntity).build();
    }
    // Non-replicated path: withWriteLock receives the revision and the authorization callback
    // along with the action that performs the local update.
    final UpdateVariableRegistryRequestWrapper requestWrapper = new UpdateVariableRegistryRequestWrapper(allAffectedComponents, activeAffectedProcessors, activeAffectedServices, requestVariableRegistryEntity);
    final Revision requestRevision = getRevision(requestVariableRegistryEntity.getProcessGroupRevision(), groupId);
    return withWriteLock(serviceFacade, requestWrapper, requestRevision, authorizeAccess, null, (revision, wrapper) -> updateVariableRegistryLocal(groupId, wrapper.getAllAffectedComponents(), wrapper.getActiveAffectedProcessors(), wrapper.getActiveAffectedServices(), user, revision, wrapper.getVariableRegistryEntity()));
}
Also used : FunnelsEntity(org.apache.nifi.web.api.entity.FunnelsEntity) Produces(javax.ws.rs.Produces) InstantiateTemplateRequestEntity(org.apache.nifi.web.api.entity.InstantiateTemplateRequestEntity) ApiParam(io.swagger.annotations.ApiParam) SiteToSiteRestApiClient(org.apache.nifi.remote.util.SiteToSiteRestApiClient) ConnectionDTO(org.apache.nifi.web.api.dto.ConnectionDTO) ComponentAuthorizable(org.apache.nifi.authorization.ComponentAuthorizable) StringUtils(org.apache.commons.lang3.StringUtils) ClientIdParameter(org.apache.nifi.web.api.request.ClientIdParameter) ProcessorEntity(org.apache.nifi.web.api.entity.ProcessorEntity) AuthorizeAccess(org.apache.nifi.authorization.AuthorizeAccess) VariableRegistryUpdateStep(org.apache.nifi.registry.variable.VariableRegistryUpdateStep) PositionDTO(org.apache.nifi.web.api.dto.PositionDTO) MediaType(javax.ws.rs.core.MediaType) ProcessGroupDTO(org.apache.nifi.web.api.dto.ProcessGroupDTO) NiFiRegistryException(org.apache.nifi.registry.client.NiFiRegistryException) Map(java.util.Map) ResourceNotFoundException(org.apache.nifi.web.ResourceNotFoundException) UriBuilder(javax.ws.rs.core.UriBuilder) SecurityContextHolder(org.springframework.security.core.context.SecurityContextHolder) ConnectionsEntity(org.apache.nifi.web.api.entity.ConnectionsEntity) FunnelEntity(org.apache.nifi.web.api.entity.FunnelEntity) VariableRegistryUpdateRequest(org.apache.nifi.registry.variable.VariableRegistryUpdateRequest) ControllerServicesEntity(org.apache.nifi.web.api.entity.ControllerServicesEntity) Set(java.util.Set) InputPortsEntity(org.apache.nifi.web.api.entity.InputPortsEntity) Executors(java.util.concurrent.Executors) ArrayBlockingQueue(java.util.concurrent.ArrayBlockingQueue) FormDataParam(org.glassfish.jersey.media.multipart.FormDataParam) ProcessGroupsEntity(org.apache.nifi.web.api.entity.ProcessGroupsEntity) FlowComparisonEntity(org.apache.nifi.web.api.entity.FlowComparisonEntity) ScheduledState(org.apache.nifi.controller.ScheduledState) 
LabelsEntity(org.apache.nifi.web.api.entity.LabelsEntity) UriInfo(javax.ws.rs.core.UriInfo) ApiImplicitParams(io.swagger.annotations.ApiImplicitParams) DtoFactory(org.apache.nifi.web.api.dto.DtoFactory) Entity(org.apache.nifi.web.api.entity.Entity) GET(javax.ws.rs.GET) ControllerServiceEntity(org.apache.nifi.web.api.entity.ControllerServiceEntity) ConfigurableComponent(org.apache.nifi.components.ConfigurableComponent) TemplateEntity(org.apache.nifi.web.api.entity.TemplateEntity) RevisionDTO(org.apache.nifi.web.api.dto.RevisionDTO) HttpMethod(javax.ws.rs.HttpMethod) HttpServletRequest(javax.servlet.http.HttpServletRequest) NiFiUser(org.apache.nifi.authorization.user.NiFiUser) NiFiUserDetails(org.apache.nifi.authorization.user.NiFiUserDetails) Api(io.swagger.annotations.Api) VariableRegistryDTO(org.apache.nifi.web.api.dto.VariableRegistryDTO) FlowDTO(org.apache.nifi.web.api.dto.flow.FlowDTO) VersionedFlowState(org.apache.nifi.registry.flow.VersionedFlowState) NiFiServiceFacade(org.apache.nifi.web.NiFiServiceFacade) AuthorizableLookup(org.apache.nifi.authorization.AuthorizableLookup) RequestAction(org.apache.nifi.authorization.RequestAction) FlowEncodingVersion(org.apache.nifi.controller.serialization.FlowEncodingVersion) JAXBElement(javax.xml.bind.JAXBElement) RemoteProcessGroupsEntity(org.apache.nifi.web.api.entity.RemoteProcessGroupsEntity) IOException(java.io.IOException) VersionedFlowSnapshot(org.apache.nifi.registry.flow.VersionedFlowSnapshot) Authorizer(org.apache.nifi.authorization.Authorizer) ApiResponse(io.swagger.annotations.ApiResponse) FlowEntity(org.apache.nifi.web.api.entity.FlowEntity) AffectedComponentEntity(org.apache.nifi.web.api.entity.AffectedComponentEntity) OutputPortsEntity(org.apache.nifi.web.api.entity.OutputPortsEntity) ScheduleComponentsEntity(org.apache.nifi.web.api.entity.ScheduleComponentsEntity) XmlUtils(org.apache.nifi.security.xml.XmlUtils) BundleCoordinate(org.apache.nifi.bundle.BundleCoordinate) 
ProcessorConfigDTO(org.apache.nifi.web.api.dto.ProcessorConfigDTO) Date(java.util.Date) ConnectableType(org.apache.nifi.connectable.ConnectableType) ProcessorStatusDTO(org.apache.nifi.web.api.dto.status.ProcessorStatusDTO) URISyntaxException(java.net.URISyntaxException) LoggerFactory(org.slf4j.LoggerFactory) Path(javax.ws.rs.Path) BundleDTO(org.apache.nifi.web.api.dto.BundleDTO) ApiOperation(io.swagger.annotations.ApiOperation) AuthorizeControllerServiceReference(org.apache.nifi.authorization.AuthorizeControllerServiceReference) QueryParam(javax.ws.rs.QueryParam) Consumes(javax.ws.rs.Consumes) TemplateDTO(org.apache.nifi.web.api.dto.TemplateDTO) ActivateControllerServicesEntity(org.apache.nifi.web.api.entity.ActivateControllerServicesEntity) XMLStreamReader(javax.xml.stream.XMLStreamReader) DefaultValue(javax.ws.rs.DefaultValue) URI(java.net.URI) ThreadFactory(java.util.concurrent.ThreadFactory) NodeResponse(org.apache.nifi.cluster.manager.NodeResponse) DELETE(javax.ws.rs.DELETE) Context(javax.ws.rs.core.Context) Authorizable(org.apache.nifi.authorization.resource.Authorizable) ControllerServiceDTO(org.apache.nifi.web.api.dto.ControllerServiceDTO) ApiImplicitParam(io.swagger.annotations.ApiImplicitParam) Collection(java.util.Collection) ConcurrentHashMap(java.util.concurrent.ConcurrentHashMap) SnippetAuthorizable(org.apache.nifi.authorization.SnippetAuthorizable) UUID(java.util.UUID) BundleUtils(org.apache.nifi.util.BundleUtils) PortEntity(org.apache.nifi.web.api.entity.PortEntity) LongParameter(org.apache.nifi.web.api.request.LongParameter) JAXBException(javax.xml.bind.JAXBException) Collectors(java.util.stream.Collectors) List(java.util.List) Response(javax.ws.rs.core.Response) ProcessGroupEntity(org.apache.nifi.web.api.entity.ProcessGroupEntity) ProcessorDTO(org.apache.nifi.web.api.dto.ProcessorDTO) ControllerServiceState(org.apache.nifi.controller.service.ControllerServiceState) CopySnippetRequestEntity(org.apache.nifi.web.api.entity.CopySnippetRequestEntity) 
Authentication(org.springframework.security.core.Authentication) Pause(org.apache.nifi.web.util.Pause) FlowSnippetDTO(org.apache.nifi.web.api.dto.FlowSnippetDTO) RemoteProcessGroupDTO(org.apache.nifi.web.api.dto.RemoteProcessGroupDTO) PathParam(javax.ws.rs.PathParam) Bucket(org.apache.nifi.registry.bucket.Bucket) Revision(org.apache.nifi.web.Revision) ThreadPoolExecutor(java.util.concurrent.ThreadPoolExecutor) HashMap(java.util.HashMap) ApiResponses(io.swagger.annotations.ApiResponses) Function(java.util.function.Function) AffectedComponentDTO(org.apache.nifi.web.api.dto.AffectedComponentDTO) ConcurrentMap(java.util.concurrent.ConcurrentMap) FlowRegistryUtils(org.apache.nifi.registry.flow.FlowRegistryUtils) CreateTemplateRequestEntity(org.apache.nifi.web.api.entity.CreateTemplateRequestEntity) VersionControlInformationDTO(org.apache.nifi.web.api.dto.VersionControlInformationDTO) VariableRegistryUpdateRequestEntity(org.apache.nifi.web.api.entity.VariableRegistryUpdateRequestEntity) NiFiAuthenticationToken(org.apache.nifi.web.security.token.NiFiAuthenticationToken) Status(javax.ws.rs.core.Response.Status) JAXBContext(javax.xml.bind.JAXBContext) ExecutorService(java.util.concurrent.ExecutorService) Unmarshaller(javax.xml.bind.Unmarshaller) TemplateContentsAuthorizable(org.apache.nifi.authorization.TemplateContentsAuthorizable) Logger(org.slf4j.Logger) POST(javax.ws.rs.POST) ProcessorsEntity(org.apache.nifi.web.api.entity.ProcessorsEntity) VariableRegistryEntity(org.apache.nifi.web.api.entity.VariableRegistryEntity) VersionedFlow(org.apache.nifi.registry.flow.VersionedFlow) MultivaluedHashMap(javax.ws.rs.core.MultivaluedHashMap) MultivaluedMap(javax.ws.rs.core.MultivaluedMap) TimeUnit(java.util.concurrent.TimeUnit) Consumer(java.util.function.Consumer) LabelEntity(org.apache.nifi.web.api.entity.LabelEntity) ConnectionEntity(org.apache.nifi.web.api.entity.ConnectionEntity) ProcessGroupAuthorizable(org.apache.nifi.authorization.ProcessGroupAuthorizable) 
RemoteProcessGroupEntity(org.apache.nifi.web.api.entity.RemoteProcessGroupEntity) NiFiUserUtils(org.apache.nifi.authorization.user.NiFiUserUtils) PUT(javax.ws.rs.PUT) Authorization(io.swagger.annotations.Authorization) Collections(java.util.Collections) InputStream(java.io.InputStream) VariableRegistryUpdateRequest(org.apache.nifi.registry.variable.VariableRegistryUpdateRequest) NiFiUser(org.apache.nifi.authorization.user.NiFiUser) VariableRegistryDTO(org.apache.nifi.web.api.dto.VariableRegistryDTO) URI(java.net.URI) ComponentAuthorizable(org.apache.nifi.authorization.ComponentAuthorizable) Authorizable(org.apache.nifi.authorization.resource.Authorizable) SnippetAuthorizable(org.apache.nifi.authorization.SnippetAuthorizable) TemplateContentsAuthorizable(org.apache.nifi.authorization.TemplateContentsAuthorizable) ProcessGroupAuthorizable(org.apache.nifi.authorization.ProcessGroupAuthorizable) List(java.util.List) ResourceNotFoundException(org.apache.nifi.web.ResourceNotFoundException) AffectedComponentEntity(org.apache.nifi.web.api.entity.AffectedComponentEntity) NiFiUserDetails(org.apache.nifi.authorization.user.NiFiUserDetails) VariableRegistryUpdateRequestEntity(org.apache.nifi.web.api.entity.VariableRegistryUpdateRequestEntity) VariableRegistryEntity(org.apache.nifi.web.api.entity.VariableRegistryEntity) NiFiRegistryException(org.apache.nifi.registry.client.NiFiRegistryException) ResourceNotFoundException(org.apache.nifi.web.ResourceNotFoundException) IOException(java.io.IOException) URISyntaxException(java.net.URISyntaxException) JAXBException(javax.xml.bind.JAXBException) NiFiAuthenticationToken(org.apache.nifi.web.security.token.NiFiAuthenticationToken) AuthorizeAccess(org.apache.nifi.authorization.AuthorizeAccess) Revision(org.apache.nifi.web.Revision) Authentication(org.springframework.security.core.Authentication) AffectedComponentDTO(org.apache.nifi.web.api.dto.AffectedComponentDTO) Path(javax.ws.rs.Path) POST(javax.ws.rs.POST) 
Consumes(javax.ws.rs.Consumes) Produces(javax.ws.rs.Produces) ApiOperation(io.swagger.annotations.ApiOperation) ApiResponses(io.swagger.annotations.ApiResponses)

Example 18 with NiFiAuthenticationToken

use of org.apache.nifi.web.security.token.NiFiAuthenticationToken in project nifi by apache.

the class StandardNiFiServiceFacadeTest method testGetActionApprovedThroughController.

/**
 * Verifies that USER_2 can read ACTION_ID_2, and that the only authorization request issued is
 * against the controller resource (none against PROCESSOR_ID_2).
 */
@Test
public void testGetActionApprovedThroughController() throws Exception {
    // Install USER_2 as the authenticated identity for this thread.
    // NOTE(review): nothing in this method clears the context afterwards; confirm the class's
    // teardown resets SecurityContextHolder so the identity cannot carry over into other tests.
    final NiFiUserDetails userDetails = new NiFiUserDetails(new Builder().identity(USER_2).build());
    final Authentication authentication = new NiFiAuthenticationToken(userDetails);
    SecurityContextHolder.getContext().setAuthentication(authentication);

    // Fetch the action and check that it is readable.
    final ActionEntity action = serviceFacade.getAction(ACTION_ID_2);
    assertEquals(ACTION_ID_2, action.getId());
    assertTrue(action.getCanRead());

    // Matches authorization requests whose resource identifier ends with PROCESSOR_ID_2.
    final ArgumentMatcher<AuthorizationRequest> targetsProcessor = new ArgumentMatcher<AuthorizationRequest>() {

        @Override
        public boolean matches(Object argument) {
            final AuthorizationRequest request = (AuthorizationRequest) argument;
            return request.getResource().getIdentifier().endsWith(PROCESSOR_ID_2);
        }
    };
    // Matches authorization requests made against the controller resource.
    final ArgumentMatcher<AuthorizationRequest> targetsController = new ArgumentMatcher<AuthorizationRequest>() {

        @Override
        public boolean matches(Object argument) {
            final AuthorizationRequest request = (AuthorizationRequest) argument;
            return request.getResource().equals(ResourceFactory.getControllerResource());
        }
    };

    // The component does not exist, so the decision must come from the controller check alone.
    verify(authorizer, times(0)).authorize(argThat(targetsProcessor));
    verify(authorizer, times(1)).authorize(argThat(targetsController));
}
Also used : AuthorizationRequest(org.apache.nifi.authorization.AuthorizationRequest) Authentication(org.springframework.security.core.Authentication) Builder(org.apache.nifi.authorization.user.StandardNiFiUser.Builder) ArgumentMatcher(org.mockito.ArgumentMatcher) NiFiUserDetails(org.apache.nifi.authorization.user.NiFiUserDetails) ActionEntity(org.apache.nifi.web.api.entity.ActionEntity) NiFiAuthenticationToken(org.apache.nifi.web.security.token.NiFiAuthenticationToken) Test(org.junit.Test)

Example 19 with NiFiAuthenticationToken

use of org.apache.nifi.web.security.token.NiFiAuthenticationToken in project nifi by apache.

the class StandardNiFiServiceFacadeTest method testGetActionsForUser2.

/**
 * Verifies that USER_2 sees actions for PROCESSOR_ID_2 as readable, while actions for
 * PROCESSOR_ID_1 are marked unreadable and carry no action detail.
 */
@Test
public void testGetActionsForUser2() throws Exception {
    // Install USER_2 as the authenticated identity for this thread.
    // NOTE(review): nothing in this method clears the context afterwards; confirm the class's
    // teardown resets SecurityContextHolder so the identity cannot carry over into other tests.
    final NiFiUserDetails userDetails = new NiFiUserDetails(new Builder().identity(USER_2).build());
    final Authentication authentication = new NiFiAuthenticationToken(userDetails);
    SecurityContextHolder.getContext().setAuthentication(authentication);

    final HistoryDTO history = serviceFacade.getActions(new HistoryQueryDTO());

    // NOTE(review): if no returned action belongs to either processor, no assertion runs and the
    // test passes vacuously; confirm the fixture always supplies both.
    history.getActions().forEach(action -> {
        if (PROCESSOR_ID_1.equals(action.getSourceId())) {
            // Processor 1 is off limits to user 2: the entry is unreadable and its detail is withheld.
            assertFalse(action.getCanRead());
            assertNull(action.getAction());
            return;
        }
        if (PROCESSOR_ID_2.equals(action.getSourceId())) {
            // Processor 2 is the only component user 2 may read.
            assertTrue(action.getCanRead());
        }
    });
}
Also used : HistoryDTO(org.apache.nifi.web.api.dto.action.HistoryDTO) HistoryQueryDTO(org.apache.nifi.web.api.dto.action.HistoryQueryDTO) Authentication(org.springframework.security.core.Authentication) Builder(org.apache.nifi.authorization.user.StandardNiFiUser.Builder) NiFiUserDetails(org.apache.nifi.authorization.user.NiFiUserDetails) NiFiAuthenticationToken(org.apache.nifi.web.security.token.NiFiAuthenticationToken) Test(org.junit.Test)

Example 20 with NiFiAuthenticationToken

use of org.apache.nifi.web.security.token.NiFiAuthenticationToken in project nifi by apache.

the class StandardNiFiServiceFacadeTest method testGetActionDeniedDespiteControllerAccess.

/**
 * Verifies that reading ACTION_ID_1 as USER_2 is denied based on the processor resource alone:
 * exactly one authorization request targets PROCESSOR_ID_1 and none target the controller.
 */
@Test(expected = AccessDeniedException.class)
public void testGetActionDeniedDespiteControllerAccess() throws Exception {
    // Install USER_2 as the authenticated identity for this thread.
    // NOTE(review): nothing in this method clears the context afterwards; confirm the class's
    // teardown resets SecurityContextHolder so the identity cannot carry over into other tests.
    final NiFiUserDetails userDetails = new NiFiUserDetails(new Builder().identity(USER_2).build());
    final Authentication authentication = new NiFiAuthenticationToken(userDetails);
    SecurityContextHolder.getContext().setAuthentication(authentication);

    // Matches authorization requests whose resource identifier ends with PROCESSOR_ID_1.
    final ArgumentMatcher<AuthorizationRequest> targetsProcessor = new ArgumentMatcher<AuthorizationRequest>() {

        @Override
        public boolean matches(Object argument) {
            final AuthorizationRequest request = (AuthorizationRequest) argument;
            return request.getResource().getIdentifier().endsWith(PROCESSOR_ID_1);
        }
    };
    // Matches authorization requests made against the controller resource.
    final ArgumentMatcher<AuthorizationRequest> targetsController = new ArgumentMatcher<AuthorizationRequest>() {

        @Override
        public boolean matches(Object argument) {
            final AuthorizationRequest request = (AuthorizationRequest) argument;
            return request.getResource().equals(ResourceFactory.getControllerResource());
        }
    };

    try {
        // The lookup is expected to throw; reaching fail() means access was wrongly granted.
        serviceFacade.getAction(ACTION_ID_1);
        fail();
    } finally {
        // The resource exists, so the denial must come from the processor check, with no
        // fallback to the controller resource.
        verify(authorizer, times(1)).authorize(argThat(targetsProcessor));
        verify(authorizer, times(0)).authorize(argThat(targetsController));
    }
}
Also used : AuthorizationRequest(org.apache.nifi.authorization.AuthorizationRequest) Authentication(org.springframework.security.core.Authentication) Builder(org.apache.nifi.authorization.user.StandardNiFiUser.Builder) ArgumentMatcher(org.mockito.ArgumentMatcher) NiFiUserDetails(org.apache.nifi.authorization.user.NiFiUserDetails) NiFiAuthenticationToken(org.apache.nifi.web.security.token.NiFiAuthenticationToken) Test(org.junit.Test)

Aggregations

NiFiUserDetails (org.apache.nifi.authorization.user.NiFiUserDetails)29 NiFiAuthenticationToken (org.apache.nifi.web.security.token.NiFiAuthenticationToken)29 Test (org.junit.Test)23 Authentication (org.springframework.security.core.Authentication)17 URI (java.net.URI)12 NiFiUser (org.apache.nifi.authorization.user.NiFiUser)12 ProcessorEntity (org.apache.nifi.web.api.entity.ProcessorEntity)11 HashSet (java.util.HashSet)10 Builder (org.apache.nifi.authorization.user.StandardNiFiUser.Builder)10 NodeIdentifier (org.apache.nifi.cluster.protocol.NodeIdentifier)10 Entity (org.apache.nifi.web.api.entity.Entity)8 HashMap (java.util.HashMap)7 StandardNiFiUser (org.apache.nifi.authorization.user.StandardNiFiUser)7 NodeResponse (org.apache.nifi.cluster.manager.NodeResponse)6 InvalidAuthenticationException (org.apache.nifi.web.security.InvalidAuthenticationException)5 Map (java.util.Map)4 AuthorizationRequest (org.apache.nifi.authorization.AuthorizationRequest)3 ArgumentMatcher (org.mockito.ArgumentMatcher)3 JwtException (io.jsonwebtoken.JwtException)2 ApiOperation (io.swagger.annotations.ApiOperation)2